I'm trying to determine if it's possible to configure ossec syscheck to only monitor the current directory, without its subdirectories.
For example, say we have the current filesystem structure
/
/dir1/
/dir1/file1
/dir1/dir2/
/dir1/dir2/file2
I would like to monitor the files in /dir1, so I will configure syscheck with the following:
<directories check_all="yes">/dir1</directories>
However, this will also monitor subdirectories of /dir1. I've tried a few options using <ignore> statement without any luck.
Appreciate any help here.
alextodicescu changed the title "Syscheck monitor directories without subdirectories" to "Syscheck - how to monitor directory without subdirectories" on Dec 14, 2018
There's currently no "no recursive" option for syscheck. It's something I've considered recently though.
The best you could do is possibly using <ignore> options to ignore what you don't want to see.
Thanks @ddpbsd for the reply. Yep, it would be a nice feature to have.
The use case for it would be: having subdirectories with temporary/volatile files that you want to ignore from monitoring.
What would an <ignore> regex for all subdirectories look like? Tried validating a few regexes with /var/ossec/bin/ossec-regex but had no joy.
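Following the <ignore> suggestion in the thread, this added example (not code from the thread or from the OSSEC project) generates one <ignore> entry per immediate subdirectory of the monitored directory instead of relying on a regex. The function names are hypothetical, and it assumes that a plain directory path in <ignore> suppresses results for everything beneath that directory and that find supports -mindepth/-maxdepth (GNU and BSD find do).

```shell
#!/bin/sh
# Added example: build the syscheck entries that leave only the files
# directly inside a monitored directory under watch.
# Usage: gen_syscheck_ignores /dir1

# xml_escape STRING: escape characters that are special in XML element content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# gen_syscheck_ignores DIR: print the <directories> line for DIR followed by
# one <ignore> line for each immediate subdirectory of DIR.
gen_syscheck_ignores() {
    dir=$1
    # Drop a trailing slash so generated paths have no "//", but keep "/" itself.
    [ "$dir" = "/" ] || dir=${dir%/}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $1" >&2
        return 1
    fi

    printf '<directories check_all="yes">%s</directories>\n' "$(xml_escape "$dir")"

    # Only depth 1 is listed: under the stated assumption, ignoring a
    # directory already covers everything nested below it.
    # -type d does not match symlinks, so linked directories are not listed.
    # Directory names containing newlines are not supported by this loop.
    find "$dir" -mindepth 1 -maxdepth 1 -type d | LC_ALL=C sort |
    while IFS= read -r sub; do
        printf '<ignore>%s</ignore>\n' "$(xml_escape "$sub")"
    done
}
```

The output is a snapshot: a subdirectory created after the list was generated is monitored until the entries are regenerated and syscheck reloads its configuration.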